topic Re: Mapping fields to XSOAR IOCs in Cortex XSOAR Discussions

Mapping fields to XSOAR IOCs

jemeche — Tue, 01 Aug 2023 14:53:53 GMT

I'd appreicate guidance on how to update IOC fields with information extracted from an excuted playbook task.

My use case centers around updating File Hash IOCs to include file signature metadata information to enable easier cleaning up of IOCs associated with known vendors such as Microsoft.

Any assistance is appreciated.

Re: Mapping fields to XSOAR IOCs

gyldz — Wed, 02 Aug 2023 09:28:05 GMT

Hi @jemeche ,

You can make use of tags for that purpose. First, use appendIndicatorField automation to add a tag and then you can use that tag to filter tagged IOCs. I hope this answers your question.

Re: Mapping fields to XSOAR IOCs

MBeauchamp2 — Wed, 02 Aug 2023 13:57:32 GMT

You can also perform mapping to Indicator fields for enrichment data on the Indicator Type itself.

Navigating to Settings -> Object Setup -> Indicators -> Types, and edit the Type you want.

Select Custom Fields, and load the indicator, and you can map the values in the indicators context to fields, which will be set upon enrichment (or re-enrichment for the current indicator after you're done)

Re: Mapping fields to XSOAR IOCs

Azxkolki — Thu, 03 Aug 2023 06:07:16 GMT

Hello,

To update IOCs with file signature metadata, extract relevant information from the executed playbook task. Fetch existing IOCs from the database, match file hashes with extracted data, and update corresponding fields. Save the updated IOCs back to storage. Automate the process for regular updates. Prioritize security and access controls while handling sensitive information. Validate data accuracy regularly and test automation in a controlled environment before deployment. Use appropriate tools and scripting capabilities for implementation. Ensure compliance with security protocols and consider integrating with security automation platforms for efficiency.

Best regard,